From 3f62a590b02bf4c888a995017e2575d3b2ec6ac9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 12 Sep 2023 18:59:44 +1200 Subject: [PATCH 1/2] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default The rpcecho server is useful in development and testing, but should never have been allowed into production, as it includes the facility to do a blocking sleep() in the single-threaded rpc worker. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 Signed-off-by: Andrew Bartlett --- docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- lib/param/loadparm.c | 2 +- selftest/target/Samba4.pm | 2 +- source3/param/loadparm.c | 2 +- source4/rpc_server/wscript_build | 3 ++- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml index 8a217cc7f11..c6642b795fd 100644 --- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml @@ -6,6 +6,6 @@ Specifies which DCE/RPC endpoint servers should be run. -epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver +epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver rpcecho diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 02dd602de7a..4cbcb49b28c 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); - lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); /* the winbind method for domain controllers is for both RODC diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index dc931280552..c9b93cf9fd0 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -781,7 +781,7 @@ sub provision_raw_step1($$) wins support = yes server role = $ctx->{server_role} server services = +echo $services - dcerpc endpoint servers = +winreg +srvsvc + dcerpc endpoint servers = +winreg +srvsvc +rpcecho notify:inotify = false ldb:nosync = true ldap server require strong auth = yes diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 39cf3af8dd6..71925d8b24a 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -879,7 +879,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); - Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); + Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); Globals.tls_enabled = true; Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build index 0e44a3c2bae..31ec4f60c9a 100644 --- a/source4/rpc_server/wscript_build +++ b/source4/rpc_server/wscript_build @@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', source='echo/rpc_echo.c', subsystem='dcerpc_server', init_function='dcerpc_server_rpcecho_init', - deps='ndr-standard events' + deps='ndr-standard events', + enabled=bld.CONFIG_GET('ENABLE_SELFTEST') ) -- 2.25.1 From 18d4a875383e9452e20da48dff93b5f110eec9b1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 12 Sep 2023 19:01:03 +1200 Subject: [PATCH 2/2] CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC The rpcecho server in source3 does have samba the sleep() feature that the s4 version has, but the task architecture is different, so there is not the same impact. Hoever equally this is not something that should be enabled on production builds of Samba, so restrict to selftest builds. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 Signed-off-by: Andrew Bartlett --- source3/rpc_server/wscript_build | 1 + 1 file changed, 1 insertion(+) diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build index 341df41a321..5ed81283395 100644 --- a/source3/rpc_server/wscript_build +++ b/source3/rpc_server/wscript_build @@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho', RPC_WORKER RPC_RPCECHO ''', + for_selftest=True, install_path='${SAMBA_LIBEXECDIR}') bld.SAMBA3_BINARY('rpcd_classic', -- 2.25.1